Response to the Office Action of April 29, 2009 
Serial No. 10/733,326 



Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application.
Listing of Claims: 

1. (currently amended) A method of secure session management for a web farm, the web farm including a first server and a second server, the second server having a requested web page, the method comprising:

receiving, at the first server, a request for the requested web page from a browser, said request including an encrypted session token associated with a session;

decrypting said encrypted session token at the first server to obtain a [[decrypted session token]] session ID and a timestamp;

redirecting said request to the second server, including transmitting said [[session token]] session ID and said timestamp directly to the second server; and

verifying said decrypted session token.

2. (previously amended) The method claimed in claim 1, further including creating a new session token, encrypting said new session token at the second server to produce a new encrypted session token, and transmitting a response to said browser from the second server, wherein said response includes said new encrypted session token.

3. (currently amended) The method claimed in claim 2, [[wherein said decrypted session token includes a session ID and a timestamp,]] and wherein said creating a new session token includes generating a new session ID and updating said timestamp.
4. (currently amended) The method claimed in claim 2, further including updating a common session database by replacing said [[decrypted session token]] session ID and said timestamp with said new session token in said common session database.

5. (cancelled) 

6. (currently amended) The method claimed in claim [[5]] 1, wherein a common session database contains a stored session ID and a stored timestamp, and wherein said verifying includes comparing said session ID and said timestamp with said stored session ID and said stored timestamp.

7. (currently amended) The method claimed in claim [[5]] 1, further including determining whether [[a]] said session has timed out, said step of determining including determining an elapsed time between said timestamp and a current server time, and comparing said elapsed time with a predetermined maximum time to determine whether said session has timed out.

8. (previously amended) The method claimed in claim 7, including closing said session if said 
session has timed out. 

9. (currently amended) The method claimed in claim 1, wherein said transmitting includes incorporating said [[decrypted session token]] session ID and said timestamp into a URL.

10. (currently amended) The method claimed in claim 1, wherein a session management web service performs said verifying, said session management web service being accessible to said first server and said second server, and wherein said verifying includes comparing said [[decrypted session token]] session ID and said timestamp with stored session data.

11. (Original) The method claimed in claim 10, wherein the web farm further includes a common session database containing said stored session data.

12. (Original) The method claimed in claim 1, wherein said requested web page includes a web 
resource selected from the group including an applet, an HTML page, a Java server page, and 
an Active server page. 
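Claims 1, 6, 7 and 8 above spell out the token flow: decrypt the browser's encrypted token to a session ID and a timestamp, compare that pair with the common session database, and close the session when the elapsed time since the timestamp exceeds a maximum. The Go program below is an added illustration of that flow and is not code from this application or its specification; the AES-GCM cipher, the demo key, the sample session values and the map standing in for the common session database are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)
// Session is what decrypting a token yields: a session ID (no whitespace) and a Unix timestamp.
type Session struct{ ID string; Stamp int64 }
// AES-GCM under a constructed demo key shared by every farm server (assumption); neither
// constructor can fail for a 32-byte key, so their errors are dropped.
var farmAEAD = func() cipher.AEAD {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef"))
	g, _ := cipher.NewGCM(blk)
	return g
}()
// Seal encrypts "id stamp" and prepends the random nonce so any farm server can decrypt it.
func Seal(s Session) string {
	nonce := make([]byte, farmAEAD.NonceSize())
	rand.Read(nonce) // never returns an error on current Go
	ct := farmAEAD.Seal(nonce, nonce, []byte(fmt.Sprintf("%s %d", s.ID, s.Stamp)), nil)
	return base64.RawURLEncoding.EncodeToString(ct)
}
// Open decrypts a token at the first server; GCM's tag check rejects any altered ciphertext.
func Open(enc string) (s Session, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	if n := farmAEAD.NonceSize(); err == nil && len(raw) >= n {
		if plain, err := farmAEAD.Open(nil, raw[:n], raw[n:], nil); err == nil {
			if _, err = fmt.Sscanf(string(plain), "%s %d", &s.ID, &s.Stamp); err == nil {
				return s, nil
			}
		}
	}
	return Session{}, fmt.Errorf("invalid session token") // malformed, tampered or unparsable
}
// Verify checks the common session database (session ID -> stored timestamp): the pair must match,
// and a session whose elapsed time since the timestamp exceeds maxAge has timed out and is closed.
func Verify(db map[string]int64, s Session, now, maxAge int64) error {
	if stored, ok := db[s.ID]; !ok || stored != s.Stamp {
		return fmt.Errorf("session ID or timestamp does not match stored session data")
	}
	if now-s.Stamp > maxAge {
		delete(db, s.ID) // close the timed-out session
		return fmt.Errorf("session timed out")
	}
	return nil
}
```

Rotation at the second server (claims 2 to 4) is not shown: it would generate a new session ID, set the timestamp to the current server time, replace the stored pair in the map and call Seal on the new session for the response to the browser.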
13. (currently amended) A system for secure session management, the system being coupled to a network and receiving a request for a requested web page from a browser via the network, the request including an encrypted session token, the system comprising:

a first server including a first request handler for receiving the request and decrypting the

a second server including the requested web page;

a common session database including stored session data; and

a session management web service, accessible to said first server and said second server and including a validation component for comparing said [[decrypted session token]] session ID and said timestamp with said stored session data;

said first request handler adapted to redirect the request to said second server and transmit the [[decrypted session token]] session ID and said timestamp directly to said second server.

14. (Original) The system claimed in claim 13, wherein said session management web service 
includes a token generator for creating a new session token for said second server, and wherein 
said second server includes a second request handler, said second request handler encrypting 
said new session token to produce a new encrypted session token and transmitting a response 
to said browser, wherein said response includes said new encrypted session token. 

15. (currently amended) The system claimed in claim 14, [[wherein said decrypted session token includes a session ID and a timestamp,]] and wherein said token generator generates a new session ID, and updates said timestamp based upon a current server time.

16. (currently amended) The system claimed in claim 14, wherein said session management web service replaces said [[decrypted session token]] session ID and said timestamp within said common session database with said new session token.




session ID and a 
17. (cancelled)

18. (currently amended) The system claimed in claim [[17]] 14, wherein said stored session data includes a stored session ID and a stored timestamp, and wherein said validation component compares said session ID and said timestamp with said stored session ID and said stored timestamp.

19. (currently amended) The system claimed in claim [[17]] 14, wherein said validation component further determines an elapsed time between said timestamp and a current server time, and compares said elapsed time with a predetermined maximum time to determine whether a session has timed out.

20. (Original) The system claimed in claim 19, wherein said session management web service 
closes said session if said validation component indicates said session has timed out. 

21. (currently amended) The system claimed in claim 13, wherein said first request handler incorporates said [[decrypted session token]] session ID and said timestamp into a URL in order to transmit said session token to said second server.

22. (Original) The system claimed in claim 13, wherein the requested web page includes a web 
resource selected from the group including an applet, an HTML page, a Java server page, and 
an Active server page. 

23. (currently amended) A computer program product having a computer-readable medium 
tangibly embodying computer executable instructions for secure session management for a web 
farm, the web farm including a first server and a second server, the second server having a 
requested web page, the computer executable instructions including: 

computer executable instructions for receiving, at the first server, a request for the requested web page from a browser, said request including an encrypted session token associated with a session;

computer executable instructions for decrypting said encrypted session token at the first server to obtain a

computer executable instructions for redirecting said request to the second server, including computer executable instructions for transmitting said [[decrypted session token]] session ID and said timestamp directly to the second server; and

computer executable instructions for verifying said decrypted session token.

24. (Original) The computer program product claimed in claim 23, further including computer 
executable instructions for creating a new session token, encrypting said new session token at 
the second server to produce a new encrypted session token, and transmitting a response to 
said browser from the second server, wherein said response includes said new encrypted 
session token. 

25. (currently amended) The computer program product claimed in claim 24, [[wherein said decrypted session token includes a session ID and a timestamp,]] and wherein said computer executable instructions for creating a new session token include computer executable instructions for generating a new session ID and updating said timestamp.

26. (currently amended) The computer program product claimed in claim 24, further including computer executable instructions for updating a common session database by replacing said [[decrypted session token]] session ID and said timestamp with said new session token in said common session database.

27. (cancelled) 

28. (currently amended) The computer program product claimed in claim [[27]] 23, wherein a common session database contains a stored session ID and a stored timestamp, and wherein said computer executable instructions for verifying include computer executable instructions for comparing said session ID and said timestamp with said stored session ID and said stored timestamp.

29. (currently amended) The computer program product claimed in claim [[27]] 23, further including computer executable instructions for determining whether [[a]] said session has timed out, said computer executable instructions for determining including computer executable instructions for determining an elapsed time between said timestamp and a current server time, and comparing said elapsed time with a predetermined maximum time to determine whether said session has timed out.

30. (Original) The computer program product claimed in claim 29, including computer executable 
instructions for closing said session if said session has timed out. 

31. (currently amended) The computer program product claimed in claim 23, wherein said computer executable instructions for transmitting include computer executable instructions for incorporating said [[decrypted session token]] session ID and said timestamp into a URL.

32. (currently amended) The computer program product claimed in claim 23, wherein said computer executable instructions for verifying comprise a session management web service, said session management web service being accessible to said first server and said second server, and wherein said computer executable instructions for verifying include computer executable instructions for comparing said [[decrypted session token]] session ID and said timestamp with stored session data.

33. (Original) The computer program product claimed in claim 32, wherein the web farm further 
includes a common session database containing said stored session data. 

34. (Original) The computer program product claimed in claim 23, wherein said requested web 
page includes a web resource selected from the group including an applet, an HTML page, a 
Java server page, and an Active server page. 